Azure Key Vault : Support for KeyVault certificates.

Author: rohmano

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Commands.KeyVault.Test.csproj

@@ -65,19 +65,20 @@
       <HintPath>..\..\..\packages\Microsoft.Azure.Graph.RBAC.3.2.0-preview\lib\net45\Microsoft.Azure.Graph.RBAC.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.KeyVault, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\..\..\packages\Microsoft.Azure.KeyVault.1.0.0\lib\net45\Microsoft.Azure.KeyVault.dll</HintPath>
+      <HintPath>..\..\..\packages\Microsoft.Azure.KeyVault.1.0.13-cert-preview\lib\net45\Microsoft.Azure.KeyVault.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Authorization">
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.2.0.0\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
+    <Reference Include="Microsoft.Azure.Management.KeyVault, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.KeyVault.1.0.2-cert-preview\lib\net40\Microsoft.Azure.Management.KeyVault.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.Common.NetFramework">
       <HintPath>..\..\..\packages\Microsoft.Azure.Common.2.1.0\lib\net45\Microsoft.Azure.Common.NetFramework.dll</HintPath>
     </Reference>
-    <Reference Include="Microsoft.Azure.Management.KeyVault, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <HintPath>..\..\..\packages\Microsoft.Azure.Management.KeyVault.1.0.1\lib\net40\Microsoft.Azure.Management.KeyVault.dll</HintPath>
-      <Private>True</Private>
-    </Reference>
     <Reference Include="Microsoft.Azure.ResourceManager, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Resources.2.20.0-preview\lib\net40\Microsoft.Azure.ResourceManager.dll</HintPath>
@@ -185,7 +186,7 @@
     <Compile Include="UnitTests\SetKeyVaultSecretAttributeTests.cs" />
     <Compile Include="UnitTests\SetKeyVaultSecretTests.cs" />
   </ItemGroup>
-  <ItemGroup>
+  <ItemGroup>    
     <None Include="packages.config">
       <SubType>Designer</SubType>
     </None>
@@ -210,6 +211,7 @@
     <None Include="Scripts\proddata\pfxtest1024.pfx" />
     <None Include="Scripts\RunKeyVaultTests.ps1" />
     <None Include="Scripts\RunUITests.ps1" />
+    <None Include="Scripts\VaultCertificateTests.ps1" />
     <None Include="Scripts\VaultKeyTests.ps1" />
     <None Include="Scripts\VaultManagementTests.ps1" />
     <None Include="Scripts\VaultSecretTests.ps1" />

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/Common.ps1

@@ -14,6 +14,7 @@
 
 $global:createdKeys = @()
 $global:createdSecrets = @()
+$global:createdCertificates = @()
 
 $invocationPath = Split-Path $MyInvocation.MyCommand.Definition;
 
@@ -55,6 +56,14 @@ function Get-SecretName([string]$suffix)
     return 'pshts-' + $global:testns + '-' + $suffix
 }
 
+<#
+.SYNOPSIS
+Get test certificate name
+#>
+function Get-CertificateName([string]$suffix)
+{
+    return 'pshtc-' + $global:testns + '-' + $suffix
+}
 
 <#
 .SYNOPSIS
@@ -107,6 +116,16 @@ function Get-ImportKeyFile1024([string]$filesuffix, [bool] $exists=$true)
     }
 }
 
+
+<#
+.SYNOPSIS
+Get file path from common data directory
+#>
+function Get-FilePathFromCommonData([string]$fileName)
+{
+    return Join-Path $invocationPath "commondata\$fileName"
+}
+
 <#
 .SYNOPSIS
 Remove log files under the given folder.
@@ -171,6 +190,16 @@ function Cleanup-OldSecrets
 }
 
 
+<#
+.SYNOPSIS
+Removes all certificates starting with the prefix
+#>
+function Initialize-CertificateTest
+{
+    $keyVault = Get-KeyVault
+    $certificatePattern = Get-CertificateName '*'
+    Get-AzureKeyVaultCertificate $keyVault  | Where-Object {$_.Name -like $certificatePattern}  | Remove-AzureKeyVaultCertificate -Force
+}
 
 <#
 .SYNOPSIS
@@ -220,6 +249,30 @@ function Cleanup-SingleSecretTest
     $global:createdSecrets.Clear()    
 }
 
+<#
+.SYNOPSIS
+Removes all created certificates.
+#>
+function Cleanup-SingleCertificateTest
+{
+    $global:createdCertificates | % {
+       if ($_ -ne $null)
+       {
+         try
+         {
+            $keyVault = Get-KeyVault
+            Write-Debug "Removing certificate with name $_ in vault $keyVault"
+            $catch = Remove-AzureKeyVaultCertificate $keyVault $_ -Force -Confirm:$false
+         }
+         catch 
+         {
+         }
+      }
+    }
+
+    $global:createdCertificates.Clear()    
+}
+
 <#
 .SYNOPSIS
 Run a key test, with cleanup.
@@ -248,6 +301,18 @@ function Run-SecretTest ([ScriptBlock] $test, [string] $testName)
    }
 }
 
+function Run-CertificateTest ([ScriptBlock] $test, [string] $testName)
+{   
+   try 
+   {
+     Run-Test $test $testName *>> "$testName.debug_log"
+   }
+   finally 
+   {
+     Cleanup-SingleCertificateTest *>> "$testName.debug_log"
+   }
+}
+
 function Run-VaultTest ([ScriptBlock] $test, [string] $testName)
 {   
    try 
@@ -360,3 +425,17 @@ function Equal-OperationList($left, $right)
 
     return (-not $diff)
 }
+
+function Equal-String($left, $right)
+{
+    if (([string]::IsNullOrEmpty($left)) -and ([string]::IsNullOrEmpty($right)))
+    {
+        return $true
+    }
+    if (([string]::IsNullOrEmpty($left)) -or ([string]::IsNullOrEmpty($right)))
+    {
+        return $false
+    }    
+    
+    return $left.Equals($right)
+}

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/ControlPlane/KeyVaultManagementTests.ps1

@@ -49,13 +49,17 @@ Param($rgName, $location, $tagName, $tagValue)
             "backup",
             "restore")
     $expectedPermsToSecrets = @("all")
+    $expectedPermsToSecrets = @("all")
+    $expectedPermsToCertificates = @("all")
 
     Assert-AreEqual 1 @($actual.AccessPolicies).Count
     Assert-AreEqual $objectId $actual.AccessPolicies[0].ObjectId
     $result = Compare-Object $expectedPermsToKeys $actual.AccessPolicies[0].PermissionsToKeys
     Assert-Null $result
     $result = Compare-Object $expectedPermsToSecrets $actual.AccessPolicies[0].PermissionsToSecrets
     Assert-Null $result
+    $result = Compare-Object $expectedPermsToCertificates $actual.AccessPolicies[0].PermissionsToCertificates
+    Assert-Null $result
 }
 
 <#
@@ -238,11 +242,12 @@ function Test-SetRemoveAccessPolicyByUPN
 
     $PermToKeys = @("encrypt", "decrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore")
     $PermToSecrets = @("get", "list", "set", "delete")
-
-    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -UserPrincipalName $upn -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PassThru
-
-    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
-    if (-not $global:noADCmdLetMode) {
+    $PermToCertificates = @("get", "list", "set", "delete")
+    
+    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -UserPrincipalName $upn -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PermissionsToCertificates $PermToCertificates -PassThru
+	
+    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates
+    if (-not $global:noADCmdLetMode) {	
         Assert-AreEqual $upn (Get-AzureRmADUser -ObjectId $vault.AccessPolicies[0].ObjectId)[0].UserPrincipalName
     }
 
@@ -256,16 +261,17 @@ function Test-SetRemoveAccessPolicyBySPN
 
     $PermToKeys = @()
     $PermToSecrets = @("get", "set", "list")
-
-    $setAccessPolicyFunc = { Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ServicePrincipalName $spn -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PassThru }
-
+    $PermToCertificates = @("get", "set")
+    
+    $setAccessPolicyFunc = { Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ServicePrincipalName $spn -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PermissionsToCertificates $PermToCertificates -PassThru }
+    
     if ($global:noADCmdLetMode) {
         Assert-Throws { &$setAccessPolicyFunc }
     }
     else{
         $vault = &$setAccessPolicyFunc
 
-        CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
+        CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates
 
         Assert-AreEqual $spn (Get-AzureRmADServicePrincipal -ObjectId $vault.AccessPolicies[0].ObjectId)[0].ServicePrincipalName
 
@@ -280,20 +286,20 @@ function Test-SetRemoveAccessPolicyByObjectId
 
     $PermToKeys = @("encrypt", "decrypt")
     $PermToSecrets = @()
+    $PermToCertificates = @("all")
 
     $vault;
 	if ($bypassObjectIdValidation.IsPresent)
 	{
-        $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -BypassObjectIdValidation -PassThru
+        $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PermissionsToCertificates $PermToCertificates -BypassObjectIdValidation -PassThru
 	}
 	else
 	{
-        $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PassThru
+        $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PermissionsToCertificates $PermToCertificates -PassThru
 	}
 
-
-    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
-
+    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates
+    
     Assert-AreEqual $objId $vault.AccessPolicies[0].ObjectId
 
     $vault = Remove-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PassThru
@@ -308,10 +314,11 @@ function Test-SetRemoveAccessPolicyByCompoundId
 
     $PermToKeys = @("encrypt", "decrypt")
     $PermToSecrets = @()
-    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PermissionsToKeys $PermToKeys -PassThru
-
-    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
+    $PermToCertificates = @("list", "delete")
+    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PermissionsToKeys $PermToKeys -PermissionsToCertificates $PermToCertificates -PassThru
 
+    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates
+    
     Assert-AreEqual $objId $vault.AccessPolicies[0].ObjectId
     Assert-AreEqual $appId $vault.AccessPolicies[0].ApplicationId
 
@@ -329,9 +336,10 @@ function Test-RemoveAccessPolicyWithCompoundIdPolicies
     # Add three access policies: ObjectId, (ObjectId, App1), (ObjectId, App2)
     $PermToKeys = @("encrypt", "decrypt")
     $PermToSecrets = @()
+    $PermToCertificates = @("all")
     $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PassThru
     $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId1 -PermissionsToKeys $PermToKeys -PassThru
-    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId2 -PermissionsToKeys $PermToKeys -PassThru
+    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId2 -PermissionsToKeys $PermToKeys -PermissionsToCertificates $PermToCertificates -PassThru
     Assert-AreEqual 3 $vault.AccessPolicies.Count
 
     # Remove one policy if specify compound id
@@ -352,10 +360,11 @@ function Test-SetCompoundIdAccessPolicy
     # Add one compound id policy
     $PermToKeys = @("encrypt", "decrypt")
     $PermToSecrets = @()
-    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PermissionsToKeys $PermToKeys -PassThru
-
-    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
+    $PermToCertificates = @()
+    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PermissionsToKeys $PermToKeys -PermissionsToCertificates $PermToCertificates -PassThru
 
+    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates
+    
     Assert-AreEqual $objId $vault.AccessPolicies[0].ObjectId
     Assert-AreEqual $appId $vault.AccessPolicies[0].ApplicationId
 
@@ -367,7 +376,7 @@ function Test-SetCompoundIdAccessPolicy
     $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PermissionsToKeys @("encrypt") -PassThru
     Assert-AreEqual 2 $vault.AccessPolicies.Count
     $vault = Remove-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PassThru
-    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
+    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates
     Assert-AreEqual $objId $vault.AccessPolicies[0].ObjectId
     Assert-AreEqual $vault.AccessPolicies[0].ApplicationId $null
 
@@ -391,7 +400,8 @@ function Test-ModifyAccessPolicy
     # Add some perms now
     $PermToKeys = @("encrypt", "decrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore")
     $PermToSecrets = @("get", "list", "set", "delete")
-    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PassThru
+    $PermToCertificates = @("list", "delete")
+    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PermissionsToCertificates $PermToCertificates -PassThru
 
     CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
     Assert-AreEqual $objId $vault.AccessPolicies[0].ObjectId
@@ -400,22 +410,29 @@ function Test-ModifyAccessPolicy
     $vault.AccessPolicies[0].PermissionsToKeys.Remove("unwrapKey")
     $vault = $vault.AccessPolicies[0] | Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -PassThru
 
-    $PermToKeys = @("encrypt", "decrypt", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore")
-    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
+    $PermToKeys = @("encrypt", "decrypt", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore")	
+    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates
 
     # Change just the secrets perms
     $PermToSecrets = @("all")
     $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToSecrets $PermToSecrets -PassThru
-    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
+    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates
 
     # Remove just the keys perms
     $PermToKeys = @()
     $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PassThru
-    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
-
+    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates
+    
     # Remove secret perms too
     $PermToSecrets = @()
     $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PassThru
+    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates
+
+    # Finally remove certificates perms
+    $PermToCertificates = @()
+    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToCertificates $PermToCertificates -PassThru
+    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates
+
     Assert-NotNull $vault
     Assert-AreEqual 0 $vault.AccessPolicies.Count
 }
@@ -493,9 +510,11 @@ function Test-ModifyAccessPolicyNegativeCases
     # "all" plus other perms
     Assert-Throws { Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys get, all }
     Assert-Throws { Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToSecrets get, all }
+    Assert-Throws { Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToCertificates get, all }
 
     # random string in perms
     Assert-Throws { Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToSecrets blah, get }
+    Assert-Throws { Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToCertificates blah, get }
 
     # invalid set of params
     Assert-Throws { Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName }
@@ -533,12 +552,14 @@ function Test-CreateDeleteVaultWithPiping
 
 function CheckVaultAccessPolicy
 {
-    Param($vault, $expectedPermsToKeys, $expectedPermsToSecrets)
+    Param($vault, $expectedPermsToKeys, $expectedPermsToSecrets, $expectedPermsToCertificates)
     Assert-NotNull $vault
     Assert-AreEqual 1 $vault.AccessPolicies.Count
 
     $compare = Compare-Object $vault.AccessPolicies[0].PermissionsToKeys $expectedPermsToKeys
     Assert-Null $compare
     $compare = Compare-Object $vault.AccessPolicies[0].PermissionsToSecrets $expectedPermsToSecrets
     Assert-Null $compare
+    $compare = Compare-Object $vault.AccessPolicies[0].PermissionsToCertificates $expectedPermsToCertificates
+    Assert-Null $compare
 }